AWS to SAML-P IDP hosted by Azure AD


First, we configure the IDP Connection (in which AWS logically points at the IDP endpoints, learned from IDP metadata) – recalling the AWS gotchas.

Provider ARN: arn:aws:iam::385727861301:saml-provider/PPE

Provider Type: SAML

Creation Time: 2015-07-20 15:13 PDT

Then we configure the SP/SP adaptor (in Ping parlance) that is a part of AWS “role” setup, per the instructions at https://msdn.microsoft.com/en-us/library/azure/dn706228.aspx

Attribute: SAML:aud

Value: https://signin.aws.amazon.com/saml

Looking at the SP connection (to AWS) in the AAD setup manager, we see for connection attributes:


Per the tutorial we add role and mail attribute name/values:

https://aws.amazon.com/SAML/Attributes/Role: arn:aws:iam::385727861301:saml-provider/PPE

https://aws.amazon.com/SAML/Attributes/RoleSessionName: mail


Turning now to the main parameters of the AAD-side SP connection, configured using the signup wizard.

When we try the initiating URI

GET https://myapps.microsoft.com/signin/Amazon%20Web%20Services%20(AWS)/8b1025e41dd2430ba1502ef79cd700f5 HTTP/1.1

we see a redirect to 

GET https://account.activedirectory.windowsazure.com/applications/signin/Amazon%20Web%20Services%20(AWS)/8b1025e41dd2430ba1502ef79cd700f5 HTTP/1.1


followed by an openid handshake (somewhat surprisingly):


GET https://login.microsoftonline.com/common/oauth2/authorize?client_id=0000000c-0000-0000-c000-000000000000&redirect_uri=https%3A%2F%2Faccount.activedirectory.windowsazure.com%2F&response_mode=form_post&response_type=code%20id_token&scope=openid%20profile&state=OpenIdConnect.AuthenticationProperties%3D5AXRYHTy6jr_jeBhxOx1ci8tTEwmvkIqz_Z_qgR0Wd0kDa8J_Ah_1ghY2E3o3B72cF9Hx97h1pZgthNE_ouDhLKv2X1tG5rT8iQ3oGbNuEPayPfZGuBN2BjkRdk5K8VmvG1p27kiaewyGXk3-5K7zM99ZYltTUnOWq1pIBOAzbhMRfyhBryA2hn2v1Eho-enuvYr_npWUPY6F8uyf7-biS0UGqdWeA7LzNwar2ZPPyI6JKbbq9FyHRZ447KbTiJ0JUTAT7mdRl5nFMd1Xuo2p4L2MiDpu8bNk3ldJwOe37D0WmUsIYVw7fT0qnIleFIXwGXaPXSym776o8Hku4tzb1CnNS3upTE8XRjKzxvmuqiNRvBQjElwPgEeX97xeH-L8IPVEE50U-_zhF-ZCJylUg&nonce=1437431812.oLzcSLkq5lOQ8pNnCrboew&nux=1 HTTP/1.1

I’ll guess we are seeing some kind of openid connect to SAML gateway in operation.

We see the live.com IDP assert a code grant to the gateway:

<html><head><title>Working…</title></head><body><form method="POST" name="hiddenform" action="https://account.activedirectory.windowsazure.com/"><input type="hidden" name="code" value="…" /><input type="hidden" name="id_token" value="…" /><input type="hidden" name="state" value="OpenIdConnect.AuthenticationProperties=5AXRYHTy6jr_jeBhxOx1ci8tTEwmvkIqz_Z_qgR0Wd0kDa8J_Ah_1ghY2E3o3B72cF9Hx97h1pZgthNE_ouDhLKv2X1tG5rT8iQ3oGbNuEPayPfZGuBN2BjkRdk5K8VmvG1p27kiaewyGXk3-5K7zM99ZYltTUnOWq1pIBOAzbhMRfyhBryA2hn2v1Eho-enuvYr_npWUPY6F8uyf7-biS0UGqdWeA7LzNwar2ZPPyI6JKbbq9FyHRZ447KbTiJ0JUTAT7mdRl5nFMd1Xuo2p4L2MiDpu8bNk3ldJwOe37D0WmUsIYVw7fT0qnIleFIXwGXaPXSym776o8Hku4tzb1CnNS3upTE8XRjKzxvmuqiNRvBQjElwPgEeX97xeH-L8IPVEE50U-_zhF-ZCJylUg" /><input type="hidden" name="session_state" value="e2c316b5-e8fe-442c-a7c0-72053483d2f6" /><noscript><p>Script is disabled. Click Submit to continue.</p><input type="submit" value="Submit" /></noscript></form><script language="javascript">window.setTimeout('document.forms[0].submit()', 0);</script></body></html>

We then see the second phase of the gateway:

GET https://account.activedirectory.windowsazure.com/applications/redirecttoapplication.aspx?Operation=LinkedSignIn&applicationLinkName=Amazon%20Web%20Services%20(AWS)&applicationId=8b1025e41dd2430ba1502ef79cd700f5 HTTP/1.1


When using a live.com account we hit various problems. We get a little further when swapping to admin@netmagic.onmicrosoft.com, having declared this user authorized to assert through the SP Connection. We see that our gatewaying process (which now has a user session) can pretend to be the SP and issue a SAML request:

GET https://login.microsoftonline.com/bcbf53cf-af9a-4584-b4c9-6d8b01b3781d/saml2?SAMLRequest=jVHLasMwEPwVo3v8Sh0nwjaYhkIgLSFpe%2BhtLW0agSW5Wjl9fH0dh5ZC6eM6zMzO7BQEuu143fuD2eJTj%2BSDF90aKlnvDLdAirgBjcS94Lv6es3TMOYaPUjwwILVsmRKymwuZot50zR5chGn%2BSKT2EA2nQoBmGYzFtyjI2VNyQb5oCLqcWXIg%2FEDFCfZJM4naXybpjzOeZaHyWL2cOJtgEgdsWR7aAlZUBOh84PTpTXUa3Q7dEcl8G67LtnB%2B454FJF6NMqE8EwhaHizJhRWR6eq7NyOj7V%2F79g5662wLauKMa77z2PgIx6r%2Fg5TRGfjqjivcDPYrZYb2yrxGlxZp8H%2FfC0JkxFRcrIfqRw1qLaW0iHREDr6bvoJft27egc%3D HTTP/1.1
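The SAMLRequest above is carried in the SAML HTTP-Redirect binding: the AuthnRequest XML is raw-DEFLATEd, base64-encoded, then URL-encoded into the query string. As an added example that is not from the original post, the following Python encodes a constructed AuthnRequest the same way and decodes it back, extracting the Issuer, Destination and AssertionConsumerServiceURL that a reviewer compares against the expected tenant IdP endpoint and the AWS ACS; the ID, tenant and timestamp in the sample are placeholders.

```python
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample AuthnRequest (placeholder values): the gateway, acting as the
# AWS SP, asks the tenant's /saml2 endpoint for an assertion to be posted to the AWS ACS.
SAMPLE_AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
  ID="_placeholder-request-id" Version="2.0" IssueInstant="2015-07-20T22:13:00Z"
  Destination="https://login.microsoftonline.com/TENANT-ID/saml2"
  AssertionConsumerServiceURL="https://signin.aws.amazon.com/saml">
  <saml:Issuer>urn:amazon:webservices</saml:Issuer>
</samlp:AuthnRequest>"""


def encode_redirect_binding(xml_text: str) -> str:
    """Encode as the HTTP-Redirect binding does: raw DEFLATE, base64, URL-encode."""
    # wbits=-15 selects raw DEFLATE (no zlib header/trailer), as the binding requires.
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode("ascii"), safe="")


def decode_saml_request(query_value: str) -> dict:
    """Reverse the binding and return the fields a reviewer checks first."""
    raw = base64.b64decode(urllib.parse.unquote(query_value))
    xml_text = zlib.decompress(raw, -15).decode("utf-8")
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"unexpected root element: {root.tag}")
    issuer = root.find(f"{{{SAML}}}Issuer")
    return {
        "id": root.get("ID"),
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        # Destination must be the IdP endpoint the request was actually sent to.
        "destination": root.get("Destination"),
        # The ACS is where the IdP will POST the assertion; for AWS it is the signin URL.
        "acs_url": root.get("AssertionConsumerServiceURL"),
    }


if __name__ == "__main__":
    encoded = encode_redirect_binding(SAMPLE_AUTHN_REQUEST)
    print(decode_saml_request(encoded))
```

Passing the captured SAMLRequest query value from the trace above to decode_saml_request() performs the same extraction on real traffic.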


About home_pw@msn.com

Computer Programmer who often does network administration with focus on security servers. Very strong in Microsoft Azure cloud!
This entry was posted in AAD, Azure AD.